9 comments

[ 3.6 ms ] story [ 29.6 ms ] thread
Would love you input whether I left any security holes.

Username/password are never passed back and forth, only the unique hash.

Hash is removed from the database once it’s used, old hashes that haven’t been used can’t be unless the database is hacked, but then you have bigger issues.

All database queries of the hash have been escaped to prevent XSS attacks.

I like this, but i wonder if there's a way to tie this to a Google/Facebook/Twitter account? I'm much more likely to already be logged into one of those devices on my phone...
Sure. You could have QR code point to a URL on your server that started the oauth login process and had the one time hash value passed as a parameter. That hash value would be put in the callback URL for the oauth process. Once you complete your normal oauth login your server takes the one time hash value and does the same update the db trick done here.

Aside: God, imagine if browser vendors had put a tiny bit of effort into password management or even just the UI around http auth back at the beginning. All sites could use http auth or whatever superceded it instead of their own login forms and this problem would seem just as stupid as it actually is.

Love the idea. Will implement in next version.
Is it just me, but are QR codes a solution in search of a problem? I see them everywhere, but I've never seen a single person use one.
I don't use them often but if I'm walking around and someone wants me to open a url on my phone for any reason (billboard, ad, store, restaurant, anything in print) then it better be really short or have the QR code right there for me to even think of bothering.

Still that means I probably use one maybe twice a month, but I would use them more if they were more widespread.

I expect most people are the same, no one types long URLs into their phones while reading them off a newspaper or billboard or store window do they?

I agree. I don't use them much. But they are a very useful way to share information easily. When I was in between business cards I created a qr code of a vcard of my contact info and saved it as the image for my lock screen.

I had an instant conversation topic with me at all times and people seemed to appreciate the creative use as well.

Thats a great idea. I'm going to do that for my lock screen.